Blog posts

Xiaomi

Xiaomi Router 4A Analysis • 0x01: Get Shell

The router exposes a serial port. After soldering to it and powering the device on, look at the boot messages.

    Erasing SPI Flash...
    raspi_erase: offs:20000 len:10000
    .
    Writing to SPI Flash...
    .
    done
    ## Booting image at bc160000 ...
    Image Name: MIPS OpenWrt Linux-3.10.14
    Image Type: MIPS Linux Kernel Image (lzma compressed)
    Data Size: 1425061 Bytes = 1.4 MB
    Load Address: 80000000
    Entry Point: 80000000
    Verifying Checksum ... OK
    Uncompressing Kernel Image ...
    - init -
    [ 5.750000] ra2880stop()...Done
    [ 5.760000] Free TX/RX Ring Memory!
    init started: BusyBox v1.19.4 (2019-04-01 03:43:26 UTC)
    Please press Enter to activate this console.
    rcS S boot: INFO: rc script run time limit to 65 seconds.
    [ 6.120000] MIWIFI crash syslog initialize skiped! Code=1
    [ 16.250000] ipaccount: ifname [eth0.1] event[4]
    [ 16.250000] ipaccount: ifname [br-lan] event[4]
    [ 16.250000] ipaccount: ifname [eth0.2] event[4]

The "Booting image" address is 0xBC160000, so we can be fairly sure this is a MediaTek MT762x SoC.

Once the kernel has booted, the console accepts no input, presumably because the corresponding kernel parameter has not been set.

To get a shell, we modify the startup script: